The purpose of the Cybersecurity Research and Development Amendments Act of 2009 is to improve the coordination and prioritization of federal cybersecurity research and development activities, to strengthen the cybersecurity workforce, and to reauthorize cybersecurity related programs at the National Science Foundation.

The purpose of the Cybersecurity Coordination and Awareness Act of 2009 is to authorize the Director of the National Institute of Standards and Technology (NIST) to coordinate United States Government representation in international cybersecurity technical standards development. The bill also tasks NIST to develop and implement a cybersecurity awareness and education program, increase development focus on identity management technical standards, and reinforce work currently being done in security specifications for government information systems.

II. Background and Need for the Legislation

Information technology (IT) has evolved rapidly over the last decade, leading to markedly increased connectivity and productivity. The benefits provided by these advancements have lead to the widespread use and incorporation of information technologies across major sectors of the economy. This level of connectivity and the dependence of our critical infrastructures on IT have also increased the vulnerability of these systems. Reports of cyber criminals and nation-states accessing sensitive information and disrupting services have risen steadily over the last decade, heightening concerns over the adequacy of our cybersecurity measures.

According to the Office of Management and Budget, Federal agencies spend $6 billion annuallyon cybersecurity to protect a $72 billion IT infrastructure. In addition, the Federal government funds $356 million in cybersecurity research each year. Despite this spending, the Government Accountability Office continually says the U.S. IT infrastructure is vulnerable to attack and the Federal agencies tasked with its protection are not fulfilling their responsibilities.

On May 29, 2009, the Obama Administration released a 60-day review of cyberspace policies across the federal government. The document details a number of near-term and mid-term action plans and states that it will not only take increased organization and coordination within the Federal government, but also extensive public-private partnerships and international collaboration to achieve these recommendations.

Specifically, the review recommends the development of an R&D framework that focuses on strategies for innovative technologies with the potential to enhance the security, reliability, resilience, and trustworthiness of the digital infrastructure. In the mid-term, it recommends that federal agencies expand support for R&D to ensure the Nation’s continued ability to compete in the information age economy.

The task of coordinating unclassified cybersecurity R&D lies with the Networking and Information Technology Research and Development (NITRD) program, which was originally authorized in statute by the High-Performance Computing Act of 1991 (P.L. 102-194). The NITRD program, which consists of 13 federal agencies, coordinates a broad spectrum of R&D activities related to information technology. It also includes an interagency working group and program component area focused specifically on cybersecurity and information R&D.

At a Technology and Innovation Subcommittee hearing on Thursday, October 22, witnesses discussed ways NIST can act on three of the Cyberspace Policy Review recommendations. The first of the Cyberspace Policy Review recommendations calls for a single entity to coordinate United States government representation for cybersecurity technical standards and develop an engagement plan for use with international standards bodies. Currently, the United States is represented by an array of organizations including the Department of State, Department of Commerce, Federal Communications Commission, and the United States Trade Representative. There needs to be a central coordinating strategy to guide the activities of these representatives and address the convergence of telecommunication, internet, and video devices and the inclusion of IT in the U.S. infrastructure (Healthcare IT and SmartGrid).

The second Cyberspace Policy Review recommendation is to address the need for a cybersecurity awareness and education campaign. Experts have stated that NIST’s technical standards and best practices are too highly technical for widespread use, and making this information usable by average internet users with less technical expertise will help raise the base level of cybersecurity knowledge among individuals, business, education, and government.

The third recommendation relates to the need to increase efforts in developing identity management systems. Identity management systems identify an individual for purposes of controlling access to resources, physical areas, or information (e.g. passwords, key cards, or biometrics). The Cyberspace Policy Review states that cybersecurity cannot be improved without first improving identity management. NIST currently has programs in identity management systems such as biometrics, but improvements need to be made in the interoperability and usability of these systems to encourage their growth and adoption.

In the 107th Congress, the Science and Technology Committee developed the Cyber Security Research and Development Act (P.L. 107-305). The bill created new programs and expanded existing programs at the National Science Foundation (NSF) and the National Institute of Standards and Technology (NIST) for computer and network security. The authorizations established under the Cyber Security Research and Development Act expired in fiscal year 2007.

III. Subcommittee Actions

Cybersecurity Research and Development Amendments Act of 2009

The Subcommittee on Research and Science Education heard testimony in the 111th Congress relevant to the activities authorized in the bill at hearings held on June 10 and June 16, 2009. During the first hearing, the Subcommittee focused on priorities and existing gaps in the cybersecurity research portfolio, as well as the adequacy of cybersecurity education and workforce training programs. The Subcommittee heard from witnesses from academia and the private sector, including: 1) Dr. Seymour Goodman, Professor of International Affairs and Computing and Co-Director, Georgia Tech Information Security Center, Georgia Institute of Technology; 2) Ms. Liesyl Franz, Vice President, Information Security and Global Public Policy, TechAmerica; 3) Dr. Anita D’Amico, Director, Secure Decisions Division, Applied Visions, Inc.; 4) Dr. Fred Schneider, Samuel B. Eckert Professor of Computer Science, Department of Computer Science, Cornell University; 5) Mr. Timothy Brown, Vice President and Chief Architect, CA Security Management.

On June 16, 2009, the Subcommittee on Research and Science Education and the Subcommittee on Technology and Innovation held a joint hearing entitled “Agency Response to Cyberspace Policy Review.” The hearing reviewed the response of the Department of Homeland Security, the National Institute of Standards and Technology, the National Science Foundation, and the Defense Advanced Research Projects Agency to the findings and recommendations in the Administration’s 60-day Cyberspace Policy Review.

The Subcommittee on Research and Science Education met to consider the Cybersecurity Research and Development Amendments Act of 2009 on September, 23, 2009 and considered the following amendments to the bill:

Mr. Lipinski offered an amendment to reauthorize NSF’s cybersecurity research centers program, and to clarify the responsibilities and requirements of scholarship recipients and awardee institutions in the monitoring and reporting of information related to a scholarship recipient’s service obligation. The amendment was agreed to by a voice vote.

Ms. Johnson offered an amendment requiring that the strategic plan describe how the program will increase the diversity of the cybersecurity workforce and specifying that the goal of promoting diversity be considered in the selection scholarships recipients. The amendment was agreed to by a voice vote.

Mr. Lipinski moved that the Subcommittee favorably report the bill, as amended, to the full Committee. The motion was agreed to by a voice vote.

During the hearing, the witnesses highlighted three recommendations for NIST from the review: 1) NIST should coordinate a US federal representation for international cybersecurity technical standards development because it has the technical expertise required, it is a non-regulatory agency, and is internationally respected; 2) NIST should carry out a cybersecurity awareness campaign; and 3) NIST should increase efforts in the area of identity management.

The Technology and Innovation Subcommittee met to consider the Cybersecurity Coordination and Awareness Act of 2009 on November 4, 2009. The Subcommittee considered a joint manager’s amendment offered by Representatives Wu and Smith, which was agreed to by a voice vote.

Mr. Wu moved that the Subcommittee favorably report the bill, as amended, to the full Committee with the recommendation that the bill pass. The motion was agreed to by voice vote.

IV. Summary of Major Provisions of the Prints

Cybersecurity Research and Development Amendments Act of 2009

The bill requires that the agencies participating in the NITRD program develop a strategic plan to guide the overall direction of federal cybersecurity and information assurance R&D. It requires the agencies to solicit recommendations and advice from the advisory committee and a wide range of stakeholders and that they develop an implementation roadmap for the strategic plan.

The bill reauthorizes cybersecurity workforce and traineeship programs at NSF, including through the Advanced Technological Education program, the Integrative Graduate Education and Research Traineeship program and the Graduate Research Fellowship program. It also requires that the President conduct an assessment of cybersecurity workforce needs across the federal government and formally authorizes NSF to carry out the Scholarship for Service program.

Additionally, the bill reauthorizes cybersecurity research at NSF, including through the Trustworthy Computing program and it requires that the Director of the Office of Science and Technology Policy convene a university-industry task force to explore mechanisms for carrying out collaborative R&D.

Cybersecurity Coordination and Awareness Act of 2009

The Cybersecurity Coordination and Awareness Act directs NIST to develop and implement a proactive plan to ensure a coordinated United States Government engagement in international cybersecurity technical standards development. This plan is due to Congress within one year of enactment.

NIST is also required to deliver a plan to Congress, within 90 days of enactment, describing how it will develop and implement a cybersecurity awareness and education program. NIST is to collaborate with relevant federal agencies, industry and educational institutions in developing this program. The purpose of the program is to disseminate cybersecurity best practices and standards and to make these standards and practices usable by individuals, small to medium-sized businesses, state and local governments and educational institutions. NIST is also directed to utilize established Manufacturing Extension Partnership networks (under section 25 of the NIST Act), to the extent appropriate, to make cybersecurity information available to small manufacturing companies.

The bill directs NIST to engage in research and development programs to improve identity management systems. The programs have the goals of improving interoperability among identity management technologies, strengthening authentication methods, and improving privacy protection.

The bill amends section 8(c) of the Cybersecurity R & D Act (15 U.S.C. 7406(c)) by requiring the director of NIST to develop or identify, and revise or adapt as necessary, checklists, configuration profiles, and deployment recommendations for products and protocols that minimize the security risks associated with each hardware or software system used by the Federal Government.

The bill amends section 20 of the NIST Act (15 U.S.C. 278g-3), by directing NIST to conduct a research program aimed at creating a standardized identity, privilege, and access control management framework that can be used to enforce a wide variety of resource protection policies. The framework should be usable in a wide variety of existing and emerging computing environments. The bill also directs NIST to research how to improve security of information systems, networks, and industrial control systems.

Section-by-Section

V. Section by Section Analysis of the Amendment in the Nature of a Substitute to H.R. 4061, which contains the contents of both cybersecurity prints in their entirety.

TITLE I - RESEARCH AND DEVELOPMENT

SEC. 101. DEFINITIONS

Defines the terms National Coordination Office and Program in the title.

SEC. 102. FINDINGS

Describes the findings of this title.

SEC. 103. CYBERSECURITY STRATEGIC R&D PLAN

Requires the agencies to develop, update and implement a strategic plan for cybersecurity research and development (R&D). Requires that the strategic plan be based on an assessment of cybersecurity risk, that it specify and prioritize near-term, mid-term and long-term research objectives, and that it describe how the near-term objectives complement R&D occurring in the private sector.

Requires the agencies to solicit input from an advisory committee and outside stakeholders in the development of the strategic plan. Additionally, it requires the agencies to describe how they will promote innovation, foster technology transfer, and maintain a national infrastructure for the development of secure, reliable, and resilient networking and information technology systems.

Requires the development of an implementation roadmap that specifies the role of each agency and the level of funding needed to meet each of the research objectives outlined in the strategic plan.

SEC. 104. SOCIAL AND BEHAVIORAL RESEARCH IN CYBERSECURITY

Requires the National Science Foundation (NSF) to support research on the social and behavioral aspects of cybersecurity as part of their total cybersecurity research portfolio.

SEC. 105. NSF CYBERSECURITY R&D PROGRAMS

Reauthorizes the cybersecurity research program at the NSF and includes identity management as one of the research areas supported.

Reauthorizes programs at NSF that provide funding for capacity building grants, graduate student fellowships, graduate student traineeships and research centers in cybersecurity.

Requires NSF to establish a postdoctoral fellowship program in cybersecurity.

SEC. 106. FEDERAL CYBER SCHOLARSHIP FOR SERVICE PROGRAM

Authorizes the cybersecurity scholarship for service program at NSF. The program provides grants to institutions of higher education for the award of scholarships to students pursuing undergraduate and graduate degrees in cybersecurity fields and requires an equal number of years of service as a cybersecurity professional in the federal government as a condition of the scholarship.

The program also provides capacity building grants to institutions of higher education, supporting such activities as faculty professional development and the development of cybersecurity-related curricula and courses.

SEC. 107. CYBERSECURITY WORKFORCE ASSESSMENT

Requires the President to issue a report assessing the current and future cybersecurity workforce needs of the federal government, including a comparison of the skills needed by each federal agency, the supply of cybersecurity talent, and any barriers to the recruitment and hiring of cybersecurity professionals.

SEC. 108. CYBERSECURITY UNIVERSITY-INDUSTRY TASK FORCE

Establishes a university-industry task force to explore mechanisms and models for carrying out public-private research partnerships in the area of cybersecurity.

SEC. 109. CYBERSECURITY CHECKLIST AND DISSEMINATION

Updates NIST’s authority for the National Checklist Program (NCP) which provides detailed guidance on setting the security configuration of operating systems and applications and requires NIST to develop automated security specifications with respect to checklist content.

SEC. 110. NIST CYBERSECURITY R&D

Amends the National Institute of Standards and Technology Act to authorize NIST, as part of their in-house research program, to develop a unifying and standardized identity, privilege, and access control management framework. Authorizes NIST to conduct research related to improving the security of information and networked systems, including the security of industrial control systems.

TITLE II ? ADVANCEMENT OF CYBERSECURITY TECHNICAL STANDARDS

SEC. 201. DEFINITIONS

Defines the terms Director and Institute in the title.

SEC. 202. INTERNATIONAL CYBERSECURITY TECHNICAL STANDARDS

NIST shall develop and implement a plan to ensure a coordinated United States Government representation in international cybersecurity technical standards development. This plan is due to Congress no later than one year after enactment.

SEC. 203. Promoting Cybersecurity Awareness and Education

NIST shall deliver a plan to Congress within 90 days describing how it will develop and implement a cybersecurity awareness and education program. The program shall be aimed at disseminating cybersecurity best practices and standards and shall include how NIST will make these usable by individuals, small business, state and local governments, and educational institutions. This plan will include how NIST can utilize established Manufacturing Extension Partnership networks to have cybersecurity information readily available to small manufacturing companies.

SEC. 204. Identity Management Research and Development

NIST shall engage in research and development programs to improve identity management systems.